CVE-2024-52525

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-52525

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-52525.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-52525

Aliases

GHSA-w7v5-mgxm-v6gm

Published

2024-11-15T16:30:28.401Z

Modified

2025-12-05T07:21:28.998464Z

Severity

1.8 (Low) CVSS_V3 - CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N CVSS Calculator

Summary

Nextcloud Server User password is available in memory of the PHP process

Details

Nextcloud Server is a self hosted personal cloud system. Under certain conditions the password of a user was stored unencrypted in the session data. The session data is encrypted before being saved in the session storage (Redis or disk), but it would allow a malicious process that gains access to the memory of the PHP process, to get access to the cleartext password of the user. It is recommended that the Nextcloud Server is upgraded to 28.0.12, 29.0.9 or 30.0.2.

Database specific

{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/52xxx/CVE-2024-52525.json",
    "cwe_ids": [
        "CWE-312"
    ]
}

References

Affected packages

Git / github.com/nextcloud/server

Affected ranges

Type

GIT

Repo

https://github.com/nextcloud/server

Events

Introduced

e15fcecaf0d382cebff924ec2b1f5319e130c0e8

Fixed

d52e850623bd7f9ea8d880a39e440d58e7145257

Database specific

{
    "versions": [
        {
            "introduced": "28.0.0"
        },
        {
            "fixed": "28.0.12"
        }
    ]
}

Type

GIT

Repo

https://github.com/nextcloud/server

Events

Introduced

36ae775aa7c9af22bf33645a2d8807206ec6c85f

Fixed

b35875a225e754cb4fc60e9b1d45d4178ac59d6d

Database specific

{
    "versions": [
        {
            "introduced": "29.0.0"
        },
        {
            "fixed": "29.0.9"
        }
    ]
}

Type

GIT

Repo

https://github.com/nextcloud/server

Events

Introduced

656488893e2175e19fbe273d76a5e16a598000c7

Fixed

c23cdf609c38966f00fd44866086767eb7d5f1b2

Database specific

{
    "versions": [
        {
            "introduced": "30.0.0"
        },
        {
            "fixed": "30.0.2"
        }
    ]
}

Affected versions

v28.*

v28.0.0

v28.0.1

v28.0.10

v28.0.10rc1

v28.0.11

v28.0.11rc1

v28.0.12rc1

v28.0.12rc2

v28.0.1rc1

v28.0.2

v28.0.2rc1

v28.0.2rc2

v28.0.2rc3

v28.0.2rc4

v28.0.2rc5

v28.0.3

v28.0.3rc1

v28.0.3rc2

v28.0.4

v28.0.4rc1

v28.0.5

v28.0.5rc1

v28.0.6

v28.0.6rc1

v28.0.7

v28.0.7rc1

v28.0.7rc2

v28.0.7rc3

v28.0.7rc4

v28.0.8

v28.0.8rc1

v28.0.9

v28.0.9rc1

v29.*

v29.0.0

v29.0.1

v29.0.1rc1

v29.0.2

v29.0.2rc1

v29.0.2rc2

v29.0.3

v29.0.3rc1

v29.0.3rc2

v29.0.3rc3

v29.0.3rc4

v29.0.4

v29.0.4rc1

v29.0.5

v29.0.5rc1

v29.0.6

v29.0.6rc1

v29.0.7

v29.0.7rc1

v29.0.8

v29.0.8rc1

v29.0.9rc1

v29.0.9rc2

v30.*

v30.0.0

v30.0.1

v30.0.1rc1

v30.0.1rc2

v30.0.2rc1

v30.0.2rc2